Understand how the Referrer-Policy header affects what information is sent when navigating between pages.
Select a referrer policy and click a link to see what referrer is sent.
Tip: Open DevTools Network tab before clicking. Look for the "Referer" request header to see what was sent.
no-referrer (High Privacy): Never send the Referer header
  https://example.com/page → (nothing)

no-referrer-when-downgrade (Low Privacy): Send full URL unless going from HTTPS to HTTP
  https://example.com/page → https://example.com/page

origin (Medium): Send only the origin (domain), not the path
  https://example.com/page → https://example.com/

origin-when-cross-origin (Medium): Full URL for same-origin, origin only for cross-origin
  Cross-origin: https://example.com/page → https://example.com/

same-origin (High Privacy): Send full URL only for same-origin requests
  Cross-origin: (nothing)

strict-origin (Medium): Send origin only, but not on HTTPS→HTTP
  https://example.com/page → https://example.com/

strict-origin-when-cross-origin (Medium): Full URL for same-origin, origin for cross-origin (default)
  Default browser policy for most browsers

unsafe-url (Low Privacy): Always send full URL (including path and query)
  https://example.com/secret?token=123 → https://example.com/secret?token=123
Use strict-origin-when-cross-origin as a balanced default. It keeps the path and query out of the referrer on cross-origin requests while still sending the full referrer on same-origin requests.
Use no-referrer for links to external sites where you want maximum privacy.
Avoid unsafe-url as it can leak sensitive data in URLs (tokens, session IDs, etc.).
Referrer-Policy: strict-origin-when-cross-origin
<meta name="referrer" content="strict-origin-when-cross-origin">
<a href="https://example.com" referrerpolicy="no-referrer">Link</a>